Of the 421 hacking/IT incidents and unauthorized access/disclosure incidents attributed to healthcare providers in the United States reported to the U.S. Department of Health and Human Services this year, the top 15 data breaches affected 24,755,791 individuals.
WHY IT’S IMPORTANT
The two largest healthcare data breaches this year are Change Healthcare, affecting 100 million individuals, and Kaiser Foundation Health Plan, with 13.4 million individuals affected, according to a list of the 10 biggest health data breaches in the US in 2024. While these breaches far exceeded the impact across all types of HIPAA covered entities, healthcare provider network servers were still a prime target for hacking or unauthorized access/disclosure, based on a search of the breach portal data through December 30.
According to the HHS list of cases currently under investigation, the following 15 healthcare providers have suffered catastrophic breaches of their health data this year:
- Ascension Health, affecting 5,599,699 patients.
- Concentra Health Services, Inc., affecting 3,998,163 patients.
- Acadian Ambulance Service, Inc., affecting 2,896,985 patients.
- Integris Health, affecting 2,385,646 patients.
- Summit Pathology/Summit Pathology Laboratories, Inc., affecting 1,813,538 patients.
- Geisinger, affecting 1,276,026 patients.
- Eastern Radiologists, Inc., affecting 886,746 patients.
- Superior Air-Ground Ambulance Service, Inc., affecting 858,238 patients.
- Texas Tech University Health Sciences Center El Paso, affecting 815,000 patients.
- OnePoint Patient Care, affecting 795,916 patients.
- Ann & Robert H. Lurie Children’s Hospital of Chicago, affecting 775,860 patients.
- Florida Department of Health, affecting 729,699 patients.
- OrthopedicsNY, LLP, affecting 656,086 patients.
- Texas Tech University Health Sciences Center, affecting 650,000 patients.
- Risas Dental & Braces, affecting 618,189 patients.
Note that the federal healthcare data breach portal does not yet contain information about an alleged massive breach from a recent cyberattack on PIH Health. The California-based health care system has regularly published website updates since a cyber incident on December 1, but declined to comment on an alleged ransom note in circulation, as reported by the Whittier Daily News.
In the typed letter, the hackers claimed to have stolen approximately two terabytes of data, including 17 million patient records containing personal and medical information, photos, patient notes and more, according to the Dec. 14 report.
If forensic investigations reveal that data has indeed been exposed, the number of affected individuals in the top 15 data breaches against healthcare providers in the United States would increase to more than 40 million individuals in 2024.
THE BIG TREND
UnitedHealth Group said in May that it is rebuilding Change Healthcare with cloud-based security after it was devastated by a far-reaching ransomware attack on February 21 by the ALPHV ransomware gang.
However, the massive payment clearinghouse failure not only exposed the most electronic protected health information of any healthcare data breach in history, but also dramatically hampered patient care, forcing providers to stave off treatment delays while under overwhelming financial burdens.
To address the growing threat of cyberattacks in healthcare, HHS and the Office for Civil Rights on Friday announced a notice of proposed rulemaking to change security standards for protecting electronic protected health information under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009.
Included are several new proposals that would require HIPAA covered entities to encrypt ePHI with few exceptions, implement multi-factor authentication, and inventory their technology assets.
“Cyberattacks continue to impact the healthcare industry, with the rampant escalation of ransomware and hacking causing a significant increase in the number of major breaches reported to OCR annually,” OCR Director Melanie Fontes Rainer said in a statement about the first HIPAA Security Rule update since 2013.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.